Assuring the Silver Review Reforms – The Critical Role of Risk Management and Assurance

Reform at scale: why assurance matters more than ever

The reforms flowing from the Silver Review are extensive and interconnected, spanning workforce reductions, entity consolidation and cessations, new budget rules, and major digital and AI initiatives. These changes are also occurring in a context of heightened public scrutiny, union concern, and constrained fiscal capacity.

In this environment, risk management and assurance cannot be treated as compliance afterthoughts. They must act as strategic enablers, helping leaders understand where reform risks are highest, where controls are weakest, and where implementation is drifting from intent, so that timely course corrections can be made.

Internal audit as strategic risk partner

Internal audit functions have a unique, whole-of-organisation vantage point across programs, entities, functions and enabling services. This perspective is critical when reforms cut across traditional boundaries, such as simultaneous workforce reductions, new operating models, and system changes.

To support Silver Review implementation, internal audit plans should shift from a primarily cyclical, control based focus to more anticipatory coverage. This includes proactive advisory work on implementation governance, early stage reviews of reform design and change management processes, and targeted audits of high risk consolidation or savings initiatives before issues crystallise into service failures or integrity concerns. The following sections explore these and other considerations for assurance functions.

Risk management in restructuring and entity reform

Restructuring and entity reform create risks that extend well beyond organisational charts. Service continuity can be threatened if functions move faster than capabilities, control environments can be weakened when roles and processes shift, employee morale and retention of corporate knowledge can suffer if risks to employee wellbeing are not considered, and governance clarity can suffer where responsibilities are split across new structures.

Risk leaders and assurance functions should ensure that entity changes and workforce rebalancing are supported by structured risk assessments that consider service impact, control redesign, stakeholder confidence, employee wellbeing, and regulatory obligations. This includes clarifying owners for key risks during transition, updating risk registers to reflect new structures, and ensuring that critical controls are re established quickly in new entities or operating models.

Digital and AI assurance in practice

The Silver Review’s emphasis on shared platforms, digitisation and AI creates a new layer of risk and assurance considerations. In response, core themes for risk and internal audit functions include a greater focus on data governance and quality, cyber security, algorithmic decision-making (i.e. the use of automated approvals or AI chatbots), and third-party and vendor risk for cloud and software-as-a-service solutions.

For AI in particular, assurance activities should test whether digital and AI initiatives are being designed and operated with clear governance, defined accountability for decisions, and controls that address fairness, privacy, transparency and security. This includes assessing model risk management for AI, verifying the traceability and explainability of AI enabled decisions, and ensuring that digital transformations do not inadvertently undermine existing controls.

Performance and benefits realisation audit

Beyond financial savings, the Silver Review is intended to improve efficiency, service quality and long-term sustainability. Internal audit and risk functions are well placed to test whether these broader benefits are being realised, and to highlight where reforms are creating unintended consequences.

This may involve auditing benefits realisation frameworks, checking the integrity of data used to report progress, and validating that key performance indicators reflect both efficiency and service outcomes. Independent review can help VPS leaders understand whether apparent savings are genuine, or whether they are being offset by lower quality, higher risk or cost transfer to other parts of the system.

Governance, ethics and culture in the VPS

Reform on this scale will inevitably stress existing governance and cultural norms. There is a risk that pressure to deliver savings and meet milestones can crowd out frank and fearless advice, discourage escalation of issues, or create tolerance for shortcuts in process or oversight.

Risk and assurance leaders should explicitly consider governance, ethics and culture within their work programs, testing whether decision making structures are functioning as intended, whether integrity and behaviour expectations are understood, and whether staff feel safe to raise concerns during change. This lens is particularly important in areas already under heightened community and parliamentary scrutiny.

Assuring change management across the VPS

The success of the Silver Review will depend as much on how change is managed as on the technical quality of reform design. Poorly planned or communicated change can damage morale, increase attrition, and undermine the very capabilities needed to deliver reform.

Internal audit and risk leaders can provide valuable insight by assessing the effectiveness of change management across major initiatives. This includes reviewing governance of change programs, stakeholder engagement and communication plans, training and capability uplift, and mechanisms for monitoring cultural and workforce impacts. Assurance over change management helps VPS leaders understand whether reforms are being implemented in a way that is sustainable for people as well as for budgets.

Building a reformready internal audit and risk function

To respond effectively, internal audit and risk functions will need to re-prioritise their plans and uplift skills in areas such as digital and data, AI, complex program delivery, and change risk.

Integrated assurance planning, spanning internal audit, enterprise risk, finance, ICT, HR and safety, can help reduce duplication and close coverage gaps. By coordinating who looks at what, and when, leaders and Audit and Risk Committees gain a more coherent view of reform risks and control effectiveness.

How Protiviti Australia can help

Protiviti understands that each VPS department and public sector entity is experiencing the Silver Review differently, with unique risk profiles, reform portfolios and assurance needs. A generic approach to assurance will not provide the confidence that leaders, committees and the community require.

Our public sector specialists work with risk and internal audit leaders to design and deliver transformation focused assurance that is tailored to each organisation’s context, including:

• Portfolio level risk mapping and implementation governance reviews for major reform programs.
• Independent assurance over restructures, entity changes, shared services migrations, and new and redesigned process flows.
• Reviews of digital, data and AI risk management frameworks and related control environments.
• Assessment of change management effectiveness, including governance, communication and people related risks.
• Support for integrated assurance planning across internal audit, risk, finance and ICT functions.

Our team has extensive experience supporting state and federal agencies through high profile reform and transformation, helping leaders demonstrate that change is being delivered safely, ethically and in line with public value expectations.

Closing the series: where to from here?

This final blog in Protiviti Australia’s four-part series has focused on the critical role of risk management and assurance in safeguarding the Silver Review reforms. Together, the series has explored what the Review means for VPS leaders, finance decision-makers, technology leaders and now assurance and risk functions, highlighting that sustainable reform requires disciplined governance, strong controls, responsible use of digital and AI, and careful stewardship of people and culture.

Revisit the rest of the series:

• Blog 1: Resetting the Victorian Public Service: What the Silver Review Means for VPS Leaders
• Blog 2: Digitising the VPS – Shared Platforms, AI and the Responsibilities of Technology Leaders
• Blog 3: Silver Review Implications for VPS Financial Decision Makers: Guardrails, Savings and Financial Stewardship